Passage? #10

Open
huyz opened this issue Jan 23, 2025 · 5 comments
huyz commented Jan 23, 2025

Can the README give sample commands to set up passage with age-plugin-se?

Author

huyz commented Jan 24, 2025

This is what I seem to have figured out so far. I think this works—I guess there is no need for "armor".

❯ age-plugin-se keygen --access-control=any-biometry-or-passcode -o ~/.age/passage.key-se.age
Public key: age1se1qv3z7fv3puagp039udc5lymlpnta7fjm6c86992xlnpg84kt7glsgv73ksl
❯ mkdir -p ~/.passage/store
❯ <~/.age/passage.key-se.age >>! ~/.passage/identities
❯ <~/.age/passage.key-se.age age-plugin-se recipients >>! ~/.passage/store/.age-recipients
❯ chmod -R go-rwx ~/.passage

Owner

remko commented Jan 24, 2025

@huyz On first sight, that looks correct.

I suggest you also create a regular age key as a backup, and add the recipient to .age-recipients (and re-encrypt whatever you already encrypted). In case your machine breaks, or you lose access, or you want to access your secrets from another machine.

I'll look into adding a tutorial in the README.
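
An audit for the layout set up in this thread, as an added example (not from the issue participants or the age-plugin-se project): it checks that `.age-recipients` lists a recipient other than the Secure Enclave one, as suggested above, and that nothing under the directory is accessible to group or other. The function name `audit_passage_dir` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a passage directory for the two points raised in this
# thread: permissions (chmod -R go-rwx) and a non-Secure-Enclave backup
# recipient. Prints one finding per line; returns 0 when clean, 1 otherwise.
# audit_passage_dir and the finding labels are hypothetical names.
audit_passage_dir() {
    dir=${1:-"$HOME/.passage"}
    recipients="$dir/store/.age-recipients"
    rc=0

    if [ ! -f "$recipients" ]; then
        echo "MISSING $recipients"
        return 1
    fi

    se=0 other=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                       # blank line or comment
            age1se1*) se=$((se + 1)) ;;       # age-plugin-se recipient
            age1*)    other=$((other + 1)) ;; # any other age recipient
            *) echo "UNRECOGNIZED recipient line: $line"; rc=1 ;;
        esac
    done < "$recipients"
    echo "RECIPIENTS se=$se other=$other"

    # A Secure Enclave key cannot leave the machine, so with no other
    # recipient the store is unreadable if that machine is lost.
    if [ "$se" -gt 0 ] && [ "$other" -eq 0 ]; then
        echo "NO_BACKUP only Secure Enclave recipients are listed"
        rc=1
    fi

    # Anything still accessible to group or other after chmod -R go-rwx.
    loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "LOOSE_PERMS"
        echo "$loose" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}
```

Call it as `audit_passage_dir ~/.passage` after adding or removing recipients; a non-zero return means at least one finding was printed.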

Author

huyz commented Jan 24, 2025

Great suggestion!

Author

huyz commented Jan 24, 2025

Hmm it seems that in the ~/.passage/identities file, we can't mix-and-match armored regular age keys and age keys protected by age-plugin-se. Either one will work, but not both in the same file—just won't parse

Owner

remko commented Jan 24, 2025

You typically don’t need multiple identities, as these are only used for decryption, and you should have enough with only your age-plugin-se private key set as an identity. As long as you encrypt to multiple recipients.

If you have different .age-recipient files with different combinations of keys, this may be an issue. There’s a ticket (with a PR) for this: FiloSottile/passage#51
